CVE-2026-56104: Chainlit: session hijacking via WebSocket restoration

HIGH
Published June 22, 2026
CISO Take

Chainlit before 2.10.1 allows any unauthenticated attacker who obtains a valid sessionId to fully impersonate an authenticated user by exploiting the WebSocket restore_existing_session path, which performs no ownership verification. With 40 downstream dependents and CWE-862 (Missing Authorization) at its core, this is a straightforward authorization failure that grants the attacker the victim's full permissions and roles — including the ability to invoke AI agent tools and access data the victim was authorized to see. Although attack complexity is rated High (sessionId must be obtained via interception, log exposure, or recon), no privileges or user interaction are required, and there is no active exploitation or public exploit code to date. Teams running Chainlit-based AI frontends should upgrade to 2.10.1 immediately and audit server logs for anomalous WebSocket session restoration events.

Sources: NVD, GitHub Advisory, ATLAS, vulncheck.com

What is the risk?

CVSS 7.4 High with network attack vector and no privileges required positions this as a meaningful risk for any externally or internally exposed Chainlit deployment. Attack complexity is the primary mitigation factor — sessionId theft requires a precondition — but this bar is easily cleared in environments with verbose logging, insecure WebSocket proxies, or shared infrastructure. For AI deployments specifically, the blast radius extends beyond typical web session hijacking: the attacker inherits authorization to invoke LLM agent tools, access conversation history containing potentially sensitive organizational data, and interact with backend integrations configured for the victim user. The package has had 2 prior CVEs, indicating a pattern of security debt in this component.

How does the attack unfold?

  1. Session ID Acquisition (AML.T0006): Attacker obtains a valid Chainlit sessionId via network interception on an unencrypted segment, exposed application logs, or browser storage extraction through a co-hosted XSS vector.

  2. WebSocket Session Restoration (AML.T0049): Attacker connects to the target Chainlit WebSocket endpoint and presents the stolen sessionId via the restore_existing_session path, with no credentials or ownership proof required.

  3. Session Hijack & Privilege Inheritance (AML.T0091): Server restores the authenticated session without verifying requestor identity, granting the attacker the victim's full permissions, roles, and configured AI agent tool access.

  4. Unauthorized Tool Invocation & Data Exfiltration (AML.T0053): Attacker operates as the victim, invoking AI agent tools (file reads, API calls, database queries) and extracting conversation history and RAG-retrieved proprietary documents.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Chainlit pip No patch
12.2K, 40 dependents, pushed 11d ago, 67% patched, ~7d to patch


How severe is it?

CVSS 3.1: 7.4 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV: Network
AC: High
PR: None
UI: None
S: Unchanged
C: High
I: High
A: None

What should I do?

  1. Patch immediately: upgrade chainlit to >= 2.10.1 (commit 5effb664).

  2. Audit WebSocket access logs for restore_existing_session calls that do not correlate with the originating authenticated session's IP or user-agent.

  3. If immediate patching is blocked, restrict Chainlit to VPN-only or add a reverse proxy layer enforcing additional session binding (IP pinning, token rotation).

  4. Rotate all active sessionIds post-patch to invalidate any potentially hijacked sessions.

  5. Review tool configurations attached to Chainlit sessions and apply least-privilege: disable tool invocations that are not strictly necessary for each user role.

  6. Monitor for lateral movement indicators: unexpected tool invocations or data access patterns from sessions that recently used restore_existing_session.
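
One way to run the audit in step 2, as an added example (not Chainlit code): it flags restore_existing_session events whose IP or user-agent differs from the one recorded when the session was created. The JSON-lines log layout, the field names and the `session_created` event are assumptions; the sample log is constructed.

```python
import json

# Constructed sample access log, one JSON object per line. The field names and
# the "session_created" event are assumptions for this example.
SAMPLE_LOG = """\
{"ts":"2026-06-20T09:00:01Z","event":"session_created","session_id":"sess-A","ip":"10.0.4.17","ua":"Firefox/139"}
{"ts":"2026-06-20T09:05:40Z","event":"restore_existing_session","session_id":"sess-A","ip":"10.0.4.17","ua":"Firefox/139"}
{"ts":"2026-06-20T09:31:12Z","event":"restore_existing_session","session_id":"sess-A","ip":"203.0.113.50","ua":"OtherClient/1.0"}
{"ts":"2026-06-20T10:02:00Z","event":"session_created","session_id":"sess-C","ip":"10.0.7.3","ua":"Chrome/137"}
{"ts":"2026-06-20T10:20:09Z","event":"restore_existing_session","session_id":"sess-C","ip":"10.0.9.88","ua":"Chrome/137"}
{"ts":"2026-06-20T11:00:00Z","event":"restore_existing_session","session_id":"sess-B","ip":"198.51.100.7","ua":"Chrome/137"}
not-json line from another component
"""


def find_suspicious_restores(lines):
    """Return (ts, session_id, reason) for each restore that does not match
    the IP / user-agent seen when the session was created."""
    origin = {}    # session_id -> (ip, ua) recorded at creation
    findings = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue                      # blank or non-JSON line
        if not isinstance(rec, dict):
            continue
        sid, event = rec.get("session_id"), rec.get("event")
        seen = (rec.get("ip"), rec.get("ua"))
        if event == "session_created":
            origin[sid] = seen
        elif event == "restore_existing_session":
            if sid not in origin:
                # Creation predates the log window, or the id came from elsewhere.
                findings.append((rec.get("ts"), sid, "no_origin_in_log"))
                continue
            reasons = []
            if seen[0] != origin[sid][0]:
                reasons.append("ip_mismatch")
            if seen[1] != origin[sid][1]:
                reasons.append("ua_mismatch")
            if reasons:
                findings.append((rec.get("ts"), sid, "+".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_restores(SAMPLE_LOG.splitlines()):
        print(*finding)
```

An IP-only mismatch is common for roaming or NAT-ed clients, so rank it below a combined IP and user-agent mismatch when triaging.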

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.5 - AI system access control
NIST AI RMF: MANAGE-2.2 - Mechanisms to prevent unintended consequences
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-56104 actively exploited?

No confirmed active exploitation of CVE-2026-56104 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-56104?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, AI agent frontends, RAG system UIs, Agentic AI deployments, Internal AI copilots.

What is the CVSS score for CVE-2026-56104?

CVE-2026-56104 has a CVSS v3.1 base score of 7.4 (HIGH).

What is the AI security impact?

Affected AI Architectures

LLM chat interfaces, AI agent frontends, RAG system UIs, Agentic AI deployments, Internal AI copilots

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0085.001 AI Agent Tools
AML.T0091 Use Alternate Authentication Material

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

Chainlit before 2.10.1 contains a session hijacking vulnerability that allows unauthenticated attackers to restore and inherit authenticated user sessions by presenting a valid sessionId during WebSocket session restoration without ownership verification. Attackers can exploit the restore_existing_session path to assume a victim's permissions and roles, enabling unauthorized invocation of tools and access to data restricted to the authenticated victim.

Exploitation Scenario

An attacker targeting an organization's internal AI assistant (Chainlit + LangChain + RAG over internal docs) first performs reconnaissance to obtain a valid sessionId — through network traffic interception on an unencrypted internal segment, extraction from application logs inadvertently exposed via a misconfigured S3 bucket, or by observing sessionIds embedded in browser local storage via an XSS in a co-hosted app. The attacker then connects to the target's Chainlit WebSocket endpoint and issues a restore_existing_session message with the stolen sessionId. The server, lacking ownership verification, fully restores the authenticated session under the victim's identity. The attacker now operates as the victim: invoking file-read tools to exfiltrate documents indexed in the RAG corpus, issuing queries that extract conversation history containing proprietary business context, and potentially triggering code execution tools if the victim's role permits them — all without ever authenticating.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.
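
The missing ownership check, sketched as an added example (this is not Chainlit's code or its patch): a restore that accepts possession of the sessionId alone, next to one that also requires the requester to be the session's owner. `SessionRegistry`, its method names and the `requester` argument (the identity the server verified for this connection, never a client-supplied field) are hypothetical.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    session_id: str
    owner: Optional[str]        # verified user identifier, None if anonymous
    roles: tuple = ()


class SessionRegistry:
    def __init__(self):
        self._by_id = {}

    def create(self, owner, roles=()):
        session = Session(secrets.token_urlsafe(32), owner, tuple(roles))
        self._by_id[session.session_id] = session
        return session

    def restore_unchecked(self, session_id):
        # CWE-862 pattern from the advisory: knowing the id is sufficient,
        # so the caller inherits the owner's roles.
        return self._by_id.get(session_id)

    def restore_checked(self, session_id, requester):
        # requester: identity verified for THIS connection (assumption: set by
        # the server's own authentication step during the handshake).
        session = self._by_id.get(session_id)
        if session is None:
            return None
        if session.owner != requester:
            # Same result as an unknown id, so the restore path does not
            # confirm to the caller which session ids exist.
            return None
        return session


if __name__ == "__main__":
    registry = SessionRegistry()
    victim = registry.create("alice", roles=("analyst",))
    print(registry.restore_unchecked(victim.session_id).roles)   # ('analyst',)
    print(registry.restore_checked(victim.session_id, None))     # None
```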

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Timeline

Published: June 22, 2026
Last Modified: June 22, 2026
First Seen: June 22, 2026

Related Vulnerabilities